Re: postfix miltiligne greeting patch

2011-06-26 Thread m...@smtp.fakessh.eu
On Monday 27 June 2011 00:59, Wietse Venema wrote:
> m...@smtp.fakessh.eu:
> > this patch it is safe ?
> >
> > http://pastebin.com/
>
> Ask the maintainer. I don't review code unless I have plans to
> maintain it.
>
>   Wietse


I do not know the day of simon mudd github now I know

thanks Wietse for the great patience

-- 
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7




Re: How to restrict local users to use the sendmail command?

2011-06-26 Thread Noel Jones

On 6/26/2011 3:12 PM, Ralf Hildebrandt wrote:
> * Georg Sauthoff:
>
> > > Since procmail(1), and other utilities need to be able to forward mail
> > > while retaining the original envelope sender address, restricting the
> > > envelope sender address in sendmail would be quite disruptive. Postfix
> > > does not provide such a feature.
> >
> > Ok, that makes sense.
> >
> > Thanks for the clarification.
>
> You might be able to use mini_sendmail (which uses SMTP) and SMTP-AUTH
> to restrict the envelope sender a certain users can use. But I'm not
> sure if it can use SMTP-AUTH :»

mini_sendmail doesn't do AUTH, so it wouldn't be possible to
restrict which users are able to send mail.

Maybe Georg can use the postfix sendmail(1) command to limit
which users can send mail, and a content_filter (which can be
a postfix listener) to reject unauthorized MAIL FROM names.



  -- Noel Jones



Re: e-mail problem

2011-06-26 Thread Wietse Venema
JonL:
> I'm having an issue where the email is not showing up in the client
> (in this case OL2003 using imap as the protocol).  I'm wondering
> if I activate pop3 on the server and the mail comes to the client
> can I turn off imap without causing any damage or loss of my email
> going from pop3 to imap?

Please visit the right mailing list.
Postfix is not a POP server.
Postfix is not an IMAP server.

Wietse


e-mail problem

2011-06-26 Thread JonL
I'm having an issue where the email is not showing up in the client (in this
case OL2003 using imap as the protocol).  I'm wondering if I activate pop3 on
the server and the mail comes to the client can I turn off imap without causing
any damage or loss of my email going from pop3 to imap?


Jon

Re: postfix miltiligne greeting patch

2011-06-26 Thread Wietse Venema
m...@smtp.fakessh.eu:
> this patch it is safe ?
> 
> http://pastebin.com/nQ4hAv3x

Ask the maintainer. I don't review code unless I have plans to
maintain it.

Wietse


Re: postfix mysql dovecot cyrus-sasl "relay access denied"

2011-06-26 Thread Patrick Ben Koetter
* brian shanahan :
> -- basics --
> Postfix: 2.7.4
> System: Fedora release 14 (Laughlin)
> 
> -- smtpd is linked to --
> libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x7f646f313000)
> 
> -- active SMTP AUTH and TLS parameters for smtpd --
> broken_sasl_auth_clients = yes
> smtpd_sasl_auth_enable = yes
> smtpd_sasl_authenticated_header = yes
> smtpd_sasl_path = /var/spool/postfix/private/auth

smtpd_sasl_path should be a path relative to the Postfix queue directory like
this:

smtpd_sasl_path = private/auth


> smtpd_sasl_security_options = noanonymous
> smtpd_sasl_type = dovecot
> smtpd_tls_auth_only = no
> smtpd_tls_cert_file = /etc/postfix/postfix.pem
> smtpd_tls_key_file = $smtpd_tls_cert_file
> smtpd_tls_received_header = yes
> smtpd_tls_session_cache_timeout = 3600s
> smtpd_use_tls = yes

... 

> -- end of saslfinger output --

You want to use Dovecot as authentication provider and let Dovecot access a
MySQL database for authentication, right?

Can you login to Dovecot with an account that has been defined in the MySQL
Database?

Does Dovecot create a socket in /var/spool/postfix/private/auth?

Can Postfix (user: postfix) read/write from/to that socket?

What does Dovecot log, when you try to auth?

How do you try to authenticate?

Have you tried a telnet session on port 25 and/or 587?


I'll be offline for a while. It's late night in Germany ... ;)

p@rick


-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):
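
The socket questions in the reply above can be checked with a short script. This is an added example, not part of the original post: the function names are hypothetical, and the optional run-as-user check assumes `sudo` is available.

```shell
#!/bin/sh
# Added example: check the Dovecot auth socket that Postfix smtpd is told to use.
# resolve_sasl_path and check_auth_socket are hypothetical helper names.

# A relative smtpd_sasl_path is taken relative to the Postfix queue directory;
# an absolute one is passed through unchanged.
resolve_sasl_path() {
    queue_dir=$1 sasl_path=$2
    case $sasl_path in
        /*) printf '%s\n' "$sasl_path" ;;
        *)  printf '%s/%s\n' "${queue_dir%/}" "$sasl_path" ;;
    esac
}

# usage: check_auth_socket QUEUE_DIR SASL_PATH [RUN_AS_USER]
# Prints one of: missing | not-a-socket | no-access | ok
check_auth_socket() {
    sock=$(resolve_sasl_path "$1" "$2")
    run_as=${3:-}
    # Does Dovecot create the socket at all?
    if [ ! -e "$sock" ]; then echo missing; return 1; fi
    # A regular file here means something other than Dovecot wrote it.
    if [ ! -S "$sock" ]; then echo not-a-socket; return 1; fi
    # Can the given account (e.g. postfix) read and write it?
    if [ -n "$run_as" ]; then
        sudo -n -u "$run_as" sh -c 'test -r "$1" && test -w "$1"' sh "$sock" ||
            { echo no-access; return 1; }
    else
        [ -r "$sock" ] && [ -w "$sock" ] || { echo no-access; return 1; }
    fi
    echo ok
}

# On a live server, as root:
#   check_auth_socket "$(postconf -h queue_directory)" \
#                     "$(postconf -h smtpd_sasl_path)" postfix
```

With the values from the thread, `private/auth` and `/var/spool/postfix/private/auth` resolve to the same socket when `queue_directory` is `/var/spool/postfix`.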



postfix mysql dovecot cyrus-sasl "relay access denied"

2011-06-26 Thread brian shanahan
Sent the first one from a broken mail acct... Here is my postconf -n and
saslfinger outputs:

alias_maps = hash:/etc/mailman/aliases
bounce_queue_lifetime = 4d
broken_sasl_auth_clients = yes
command_directory = /usr/sbin
config_directory = /etc/postfix
daemon_directory = /usr/libexec/postfix
data_directory = /var/lib/postfix
default_destination_concurrency_limit = 5
default_privs = nobody
default_process_limit = 300
disable_vrfy_command = yes
home_mailbox = Maildir/
html_directory = no
in_flow_delay = 1s
local_destination_concurrency_limit = 5
local_recipient_maps =
mail_owner = postfix
mailbox_command = /usr/libexec/dovecot/deliver
mailbox_transport = dovecot
mailq_path = /usr/bin/mailq
manpage_directory = /usr/share/man
maximal_queue_lifetime = 4d
message_size_limit = 10485760
minimal_backoff_time = 3600s
mydestination = $myhostname
mydomain = cruiseplanners.com
myhostname = mail.cruisesystem.com
mynetworks = 127.0.0.0/8, 192.168.0.0/24, 192.168.5.0/24, 66.175.103.224/28,
72.17.187.154/32
newaliases_path = /usr/bin/newaliases
owner_request_special = no
queue_directory = /var/spool/postfix
readme_directory = /usr/share/doc/postfix-2.7.4/README_FILES
recipient_delimiter = +
sample_directory = /usr/share/doc/postfix-2.7.4/samples
sendmail_path = /usr/sbin/sendmail.postfix
setgid_group = postdrop
smtp_connect_timeout = 300s
smtp_helo_timeout = 300s
smtpd_client_connection_count_limit = 20
smtpd_client_connection_rate_limit = 20
smtpd_client_message_rate_limit = 20
smtpd_client_restrictions = permit_mynetworks,
 hash:/etc/postfix/access,
permit_sasl_authenticated, permit
smtpd_data_restrictions = permit_mynetworks,
 permit_sasl_authenticated,  reject_unauth_pipelining,
permit
smtpd_etrn_restrictions = reject
smtpd_helo_required = yes
smtpd_recipient_restrictions = permit_mynetworks,
permit_sasl_authenticated,
 check_recipient_access  hash:/etc/postfix/whitelist_recipient,
 check_client_access hash:/etc/postfix/whitelist_client,
reject_unauth_destination,
check_client_access  regexp:/etc/postfix/permit_client_nots25r,
 reject_unauth_pipelining,
reject_non_fqdn_sender,reject_non_fqdn_recipient,
reject_unknown_sender_domain,
reject_unknown_recipient_domain,
 reject_invalid_hostname,
 reject_multi_recipient_bounce,  check_helo_access
   regexp:/etc/postfix/reject_helo
check_sender_ns_access hash:/etc/postfix/reject_ns
check_sender_mx_access hash:/etc/postfix/reject_mx
   check_sender_ns_access regexp:/etc/postfix/check_ns
  check_recipient_access mysql:/etc/postfix/mysql-recipient.cf,
  check_client_accessregexp:/etc/postfix/prepend_client
  reject
smtpd_restriction_classes = check_sender_apacheinfo check_helo_19info
check_sender_info   reject_client_blackip
smtpd_sasl_auth_enable = yes
smtpd_sasl_authenticated_header = yes
smtpd_sasl_path = /var/spool/postfix/private/auth
smtpd_sasl_security_options = noanonymous
smtpd_sasl_type = dovecot
smtpd_sender_restrictions = permit_mynetworks,
 hash:/etc/postfix/access,
permit_sasl_authenticated,
reject_unknown_sender_domain,
 reject_non_fqdn_sender, permit
smtpd_tls_auth_only = no
smtpd_tls_cert_file = /etc/postfix/postfix.pem
smtpd_tls_key_file = $smtpd_tls_cert_file
smtpd_tls_received_header = yes
smtpd_tls_session_cache_timeout = 3600s
smtpd_use_tls = yes
soft_bounce = no
strict_rfc821_envelopes = no
tls_random_source = dev:/dev/urandom
unknown_local_recipient_reject_code = 550
virtual_alias_maps =
hash:/var/lib/mailman/data/virtual-mailman,mysql:/etc/postfix/
mysql-virtual.cf
virtual_mailbox_base = /home/vmail
virtual_mailbox_domains = mysql:/etc/postfix/mysql-virtual-domains.cf
virtual_mailbox_maps = mysql:/etc/postfix/mysql-virtual-maps.cf
virtual_transport = maildrop

-
saslfinger -c
--

[root@newmail ~]# saslfinger -c
saslfinger - postfix Cyrus sasl configuration Sun Jun 26 17:53:40 EDT 2011
version: 1.0.2
mode: client-side SMTP AUTH

-- basics --
Postfix: 2.7.4
System: Fedora release 14 (Laughlin)

-- smtp is linked to --
libsasl2.so.2 => /usr/lib64/libsasl2.so.2 (0x7f7d2cba9000)

-- active SMTP AUTH and TLS parameters for smtp --
No active SMTP AUTH and TLS parameters for smtp in main.cf!
SMTP AUTH can't work!

-
saslfinger -s
---

[root@newmail ~]# saslfinger -s
saslfinger - postfix Cyrus sasl configuration Sun Jun 26 17:45:20 EDT 2011
version: 1.0.2
mode: server-side SMTP AUTH

-- basics --
Postfix: 2.7.4
System: Fedora releas

Re: postfix miltiligne greeting patch

2011-06-26 Thread m...@smtp.fakessh.eu
On Sunday 26 June 2011 21:27, Wietse Venema wrote:
> m...@smtp.fakessh.eu:
> > On Sunday 26 June 2011 20:54, Wietse Venema wrote:
> > > m...@smtp.fakessh.eu:
> > > > I just set up the multi-line greeting patch .
> > >
> > > What patch? The official Postfix documentation has no multi-line
> > > banner support.
> >
> > is it possible to declare a personal banner
> >
> > http://postfix.wl0.org/en/smtpd-multiline-banner/
>
> As documented by its author, this patch implements multi-line banner
> support to the POSTFIX SMTP SERVER. Again, if this does not work
> as you expect, please contact the maintainer of this patch.
>
>   Wietse
>
> > > > So I have to declare another banner and surprise the result is not
> > > > comparable with the official documentation.
> > >
> > > If it does not work, ask the maintainer.
> > >
> > >   Wietse
> >
> > --
> >  http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
> >  gpg --keyserver pgp.mit.edu --recv-key 092164A7
>
> -- End of PGP section, PGP failed!


this patch it is safe ?

http://pastebin.com/nQ4hAv3x
-- 
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7




Re: new postfix mysql dovecot sasl server "relay access denied"

2011-06-26 Thread Patrick Ben Koetter
* Brian Shanahan :
> I know the subject seems trivial, but i launched a new mail server Friday
> night and have been fighting this all weekend. Very desperate now. I truly
> think it boils down to SASL configs. I've made so many changes in past 72
> hours I can't even remember my name. Please help.

Send debug output.  We will help.

p@rick




-- 
All technical questions asked privately will be automatically answered on the
list and archived for public access unless privacy is explicitly required and
justified.

saslfinger (debugging SMTP AUTH):



new postfix mysql dovecot sasl server "relay access denied"

2011-06-26 Thread Brian Shanahan
I know the subject seems trivial, but i launched a new mail server Friday
night and have been fighting this all weekend. Very desperate now. I truly
think it boils down to SASL configs. I've made so many changes in past 72
hours I can't even remember my name. Please help.

 

--Brian



Re: How to restrict local users to use the sendmail command?

2011-06-26 Thread Ralf Hildebrandt
* Georg Sauthoff :

> > Since procmail(1), and other utilities need to be able to forward mail
> > while retaining the original envelope sender address, restricting the
> > envelope sender address in sendmail would be quite disruptive. Postfix
> > does not provide such a feature.
> 
> Ok, that makes sense.
> 
> Thanks for the clarification.

You might be able to use mini_sendmail (which uses SMTP) and SMTP-AUTH
to restrict the envelope sender a certain users can use. But I'm not
sure if it can use SMTP-AUTH :»

-- 
Ralf Hildebrandt
  Geschäftsbereich IT | Abteilung Netzwerk
  Charité - Universitätsmedizin Berlin
  Campus Benjamin Franklin
  Hindenburgdamm 30 | D-12203 Berlin
  Tel. +49 30 450 570 155 | Fax: +49 30 450 570 962
  ralf.hildebra...@charite.de | http://www.charite.de



Re: postfix miltiligne greeting patch

2011-06-26 Thread Wietse Venema
m...@smtp.fakessh.eu:
> On Sunday 26 June 2011 20:54, Wietse Venema wrote:
> > m...@smtp.fakessh.eu:
> > > I just set up the multi-line greeting patch .
> >
> > What patch? The official Postfix documentation has no multi-line
> > banner support.
> >
> 
> is it possible to declare a personal banner
> 
> http://postfix.wl0.org/en/smtpd-multiline-banner/

As documented by its author, this patch implements multi-line banner
support to the POSTFIX SMTP SERVER. Again, if this does not work
as you expect, please contact the maintainer of this patch.

Wietse

> 
> > > So I have to declare another banner and surprise the result is not
> > > comparable with the official documentation.
> >
> > If it does not work, ask the maintainer.
> >
> > Wietse
> 
> -- 
>  http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
>  gpg --keyserver pgp.mit.edu --recv-key 092164A7
-- End of PGP section, PGP failed!



Re: postfix miltiligne greeting patch

2011-06-26 Thread Sahil Tandon
On Sun, 2011-06-26 at 21:06:17 +0200, m...@smtp.fakessh.eu wrote:

> is it possible to declare a personal banner

http://www.postfix.org/postconf.5.html#smtpd_banner

> http://postfix.wl0.org/en/smtpd-multiline-banner/

If you have questions related to third-party, unsupported patches,
please direct them to the appropriate maintainer.

-- 
Sahil Tandon 


Re: postfix miltiligne greeting patch

2011-06-26 Thread m...@smtp.fakessh.eu
On Sunday 26 June 2011 20:54, Wietse Venema wrote:
> m...@smtp.fakessh.eu:
> > I just set up the multi-line greeting patch .
>
> What patch? The official Postfix documentation has no multi-line
> banner support.
>

is it possible to declare a personal banner

http://postfix.wl0.org/en/smtpd-multiline-banner/


> > So I have to declare another banner and surprise the result is not
> > comparable with the official documentation.
>
> If it does not work, ask the maintainer.
>
>   Wietse

-- 
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7




Re: postfix miltiligne greeting patch

2011-06-26 Thread Wietse Venema
m...@smtp.fakessh.eu:
> I just set up the multi-line greeting patch . 

What patch? The official Postfix documentation has no multi-line
banner support.

> So I have to declare another banner and surprise the result is not comparable 
> with the official documentation. 

If it does not work, ask the maintainer.

Wietse


postfix miltiligne greeting patch

2011-06-26 Thread m...@smtp.fakessh.eu
Hello folks
Hello list. 

I just set up the multi-line greeting patch . 
So I have to declare another banner and surprise the result is not comparable 
with the official documentation. 

I do not understand the system of newline \ n 
this is not working

what is the right solution
-- 
 http://pgp.mit.edu:11371/pks/lookup?op=get&search=0x092164A7
 gpg --keyserver pgp.mit.edu --recv-key 092164A7




Re: how to lookup user via LDAP in Postfix

2011-06-26 Thread mouss
On 22/06/2011 22:07, Zhou, Yan wrote:
> Hi there, 
> 
> (This is indeed a postfix question).
> 
> I am using Postfix and DoveCot together, and my /etc/postfix/master.cf
> looks like this:  (using DoveCot LDA to deliver to user mailboxes)
> 
> dovecot   unix  -   n   n   -   -   pipe
>flags=Rhu user=hubdirect argv=/usr/libexec/dovecot/deliver -f
> ${sender} -d ${recipient}
> 
> Right now the ${recipient}  is the address. I want to specify the user
> that associates with the address.  

do that in dovecot.

> This needs to be done via LDAP
> lookup because we are using virtual users.
> 
> How does Postfix know the user, with a given address? 

what is a "user"?

if you insist on doing this in postfix, then
1) use virtual_alias_maps to convert the address to
someuser@fixeddomain.example.

2) in the pipe that defines dovecot, use -d ${user}

but note:
- this removes the domain part, so you must make sure all users map to a
different user in the fixeddomain.example

- this doesn't pass the '+' extension. so you can't use this feature in
dovecot (storing extension mail in subfolders).

you've been warned.

> Is that a configuration in Postfix?

when delivering with "virtual", virtual_uid_maps and virtual_gid_maps
yield the uid and gid of the mailbox. but that's when postfix delivers
mail. not if using an external MDA or relaying mail to another server.

> 
> I know how to verify domain and address with Postfix integrating with
> LDAP. Is there any way a username lookup can be done via LDAP lookup?  
> 
> Thanks,
> Yan



Re: permit_dnswl_client vs. reject_unauth_destination

2011-06-26 Thread /dev/rob0
On Fri, Jun 24, 2011 at 09:47:09PM -0700, Rich Wales wrote:
> This question came up after I tried to use the abuse.net mail relay 
> test site (http://verify.abuse.net/relay.html) to verify that my 
> server was not misconfigured as an open relay.  But since their 
> site that tries a laundry list of possible relay techniques 
> (verify.abuse.net, 64.57.183.77) is currently listed in 
> zen.spamhaus.org -- a list which I am using in a reject_rbl_client 
> in my smtpd_client_restrictions, as well as including it (with a 
> high score) in my postscreen_dnsbl_sites -- the abuse.net tests are 
> being rejected by my server because of the blacklist, instead of 
> because I'm configured to refuse open relaying attempts.
> 
> I tried to bypass this problem by setting up my own private 
> whitelist (in a zone available only on my own LAN) and adding 
> verify.abuse.net's IP address there.  By doing this, I was able
> to convince postscreen to let verify.abuse.net through -- but the 
> relay tests were still being rejected (by smtpd) on the grounds 
> that the client (verify.abuse.net) was in the zen.spamhaus.org 
> blacklist.  Clearly, the permit_dnswl_client (referencing my 
> private whitelist) in my smtpd_client_restrictions was somehow
> not working.

While I appreciate the geeky goodness of a local DNSWL, there are 
simpler ways to get the job done. You can bypass all postscreen tests 
using postscreen_access_list. And then check_client_access to bypass 
smtpd's reject_rbl_client.

That said, the worry of being an open relay is insignificant. An 
incompetent administrator would have a difficult time trying to make 
that happen. A competent one, who reads documentation, is not likely 
to make the mistakes that would cause a Postfix to be an open relay. 
The most common scenario for having an unintentional open relay is 
when the MTA is behind a broken NAT router, which has an internal IP 
address in $mynetworks, and it shows the MTA all connections from 
outside as coming from that internal IP address.

(Clearly you are not in that situation, because DNSBL lookups would 
be meaningless.)

> Now I understand why this is failing.  I guess I'm going to need to 
> do something different with my SMTPD restrictions -- possibly move 
> all my existing client restrictions to be at the end of my list of 
> recipient restrictions (after reject_unauth_destination).

Or better yet, just move on. :) You are not an open relay unless you 
deliberately set it up that way.
-- 
Offlist mail to this address is discarded unless
"/dev/rob0" or "not-spam" is in Subject: header

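The broken-NAT scenario described in the reply above shows up in the mail log as nearly every client connecting from one internal address. As an added example (not part of the original post; the function names, the 80% default and the log lines are constructed), this scans `postfix/smtpd` connect lines for that pattern:

```shell
#!/bin/sh
# Added example: find a $mynetworks address that accounts for most SMTP
# connects, the log signature of a NAT router rewriting source addresses.
# nat_suspects, sample_log and the 80% default are hypothetical/constructed.

# usage: nat_suspects "PREFIX ..." [MIN_PERCENT] < maillog
#   PREFIX      dotted-string prefix of a trusted network, e.g. "192.168.0."
#               (a simplification of CIDR matching, fine for /8, /16, /24)
#   MIN_PERCENT share of all connects one address must reach (default 80)
# Prints "IP COUNT PERCENT" for each trusted address at or above the share.
nat_suspects() {
    awk -v prefixes="$1" -v min="${2:-80}" '
        BEGIN { n = split(prefixes, pfx, " ") }
        # Postfix smtpd logs: postfix/smtpd[PID]: connect from HOST[IP]
        /postfix\/smtpd\[[0-9]+\]: connect from / {
            ip = $NF
            sub(/^.*\[/, "", ip)      # drop "HOST["
            sub(/\].*$/, "", ip)      # drop trailing "]"
            total++
            for (i = 1; i <= n; i++)
                if (index(ip, pfx[i]) == 1) { seen[ip]++; break }
        }
        END {
            for (ip in seen) {
                pct = int(seen[ip] * 100 / total)
                if (pct >= min) print ip, seen[ip], pct
            }
        }'
}

# Constructed sample: outside clients all appear as the router, 192.168.0.1.
sample_log() {
    cat <<'EOF'
Jun 26 10:00:01 mail postfix/smtpd[2101]: connect from unknown[192.168.0.1]
Jun 26 10:00:02 mail postfix/smtpd[2101]: disconnect from unknown[192.168.0.1]
Jun 26 10:00:09 mail postfix/smtpd[2102]: connect from unknown[192.168.0.1]
Jun 26 10:00:15 mail postfix/smtpd[2103]: connect from unknown[192.168.0.1]
Jun 26 10:00:21 mail postfix/smtpd[2104]: connect from desk7.lan.example[192.168.0.25]
Jun 26 10:00:30 mail postfix/smtpd[2105]: connect from unknown[192.168.0.1]
Jun 26 10:00:41 mail postfix/smtpd[2106]: connect from unknown[192.168.0.1]
EOF
}

sample_log | nat_suspects "192.168.0."    # prints: 192.168.0.1 5 83
```

A hit means mail from that address is being treated as coming from `$mynetworks`; a healthy log, where most connects carry public client addresses, prints nothing.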

SV: Problem with relayhost

2011-06-26 Thread Anders Norrbring
> On 25.06.2011 17:00, Anders Norrbring wrote:
> > Hiya all.
> > I'm trying to make relayhost to work, but I get "Relay access denied" no
> > matter what I try.
> > The server is running openSUSE 11.3 x86_64, and the following packages are
> > installed:
> >
> 
> > My main.cf has these related lines:
> > lmtp_sasl_auth_enable = yes
> > lmtp_sasl_password_maps = hash:/etc/postfix/lmpt_pass
> > relayhost = smtp.bredband2.com
> >
> > And the sasl_passwd has this entry:
> > smtp.bredband2.com user:pa!ss
> >
> > What am I missing? The relay works fine from Thunderbird and MS Outlook with
> > the very same user:pass combination.
> 
> Try using smtp_sasl_xxx instead of lmtp_sasl_xxx.
> 
> Sandy

Sandy,
I had the relevant smtp options, but forgot to write them in my mail to the 
list.
The problem was that I didn't run postmap on the password file. It runs just 
fine now.

Anders.



Re: How to restrict local users to use the sendmail command?

2011-06-26 Thread Georg Sauthoff
On Sat, Jun 25, 2011 at 03:50:14PM -0400, Victor Duchovni wrote:
> On Sat, Jun 25, 2011 at 07:45:48PM +0200, Ralf Hildebrandt wrote:
 
> > > And how do I allow only a restricted set of envelope from values (with
> > > sendmail -f)?
> 
> > I think this is not possible.
 
> Correct, sendmail(1) is not privileged, and it sets the envelope sender
> used by postdrop(1) either via "-f" or from getpwuid().
 
> Since procmail(1), and other utilities need to be able to forward mail
> while retaining the original envelope sender address, restricting the
> envelope sender address in sendmail would be quite disruptive. Postfix
> does not provide such a feature.

Ok, that makes sense.

Thanks for the clarification.

Best regards
Georg